From b4ebb8b00356efde02d8323a4b6648b4415fd265 Mon Sep 17 00:00:00 2001 From: David Luevano Alvarado Date: Sun, 1 Aug 2021 04:13:25 -0600 Subject: tweak some things --- blog/dst/a/vpn_server_with_openvpn.html | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'blog/dst/a/vpn_server_with_openvpn.html') diff --git a/blog/dst/a/vpn_server_with_openvpn.html b/blog/dst/a/vpn_server_with_openvpn.html index 000e72a..e65fc14 100644 --- a/blog/dst/a/vpn_server_with_openvpn.html +++ b/blog/dst/a/vpn_server_with_openvpn.html @@ -233,8 +233,8 @@ verb 3 # Only usable with udp. explicit-exit-notify 1 -

# and ; are comments. Read each and every line, you might want to change some stuff (like the logging).

-

Now, we need to enable packet forwarding, which can be enabled on the interface level or globally (you can check the different options with sysctl -a | grep forward). I’ll do it globally, run:

+

# and ; are comments. Read each and every line, you might want to change some stuff (like the logging), specially the first line which is your server public IP.

+

Now, we need to enable packet forwarding (so we can access the web while connected to the VPN), which can be enabled on the interface level or globally (you can check the different options with sysctl -a | grep forward). I’ll do it globally, run:

sysctl net.ipv4.ip_forward=1
 

And create/edit the file /etc/sysctl.d/30-ipforward.conf:

@@ -243,6 +243,7 @@ explicit-exit-notify 1

Now we need to configure ufw to forward traffic through the VPN. Append the following to /etc/default/ufw (or edit the existing line):

...
 DEFAULT_FORWARD_POLICY="ACCEPT"
+...
 

And change the /etc/ufw/before.rules, appending the following lines after the header but before the *filter line:

...
@@ -260,7 +261,7 @@ COMMIT
 *filter
 ...
 
-

Where interface must be changed depending on your interface (in my case is ens3, another common one is eth0); I always check this by running ip addr, you will get a list of interfaces of which the one containing your public ip is the one that you want, for me it looks something like:

+

Where interface must be changed depending on your system (in my case it’s ens3, another common one is eth0); I always check this by running ip addr which gives you a list of interfaces (the one containing your server public IP is the one you want, or whatever interface your server uses to connect to the internet):

...
 2: ens3: <SOMETHING,SOMETHING> bla bla
     link/ether bla:bla
@@ -268,7 +269,7 @@ COMMIT
     inet my.public.ip.addr bla bla
 ...
 
-

And also make sure the 10.8.0.0/24 matches the subnet mask specified in the server.conf file (in this example it matches). You should check this very carefully, because I just spend a good 2 hours debugging why my configuration wasn’t working, and this was te reason (I could connect to the VPN, but had no external connection to the web).

+

And also make sure the 10.8.0.0/24 matches the subnet mask specified in the server.conf file (in this example it matches). You should check this very carefully, because I just spent a good 2 hours debugging why my configuration wasn’t working, and this was te reason (I could connect to the VPN, but had no external connection to the web).

Finally, allow the OpenVPN port you specified (in this example its 1194/udp) and reload ufw:

ufw allow 1194/udp comment "OpenVPN"
 ufw reload
@@ -277,7 +278,7 @@ ufw reload
 
systemctl start openvpn-server@server.service
 systemctl enable openvpn-server@server.service
 
-

Where the server after @ is your specific configuration, in my case it is called just server.

+

Where the server after @ is the name of your configuration, server.conf without the .conf in my case.

Create client configurations

You might notice that I didn’t specify how to actually connect to our server. For that we need to do a few more steps. We actually need a configuration file similar to the server.conf file that we created.

The real way of doing this would be to run similar steps as the ones with easy-rsa locally, send them to the server, sign them, and retrieve them. Nah, we’ll just create all configuration files on the server as I was mentioning earlier.

@@ -376,6 +377,7 @@ cd $CPWD